Voice assistants help you with daily chores, from making an appointment with a client to playing music and more. The voice assistant market is full of options: Google, Siri, Alexa, and Bixby. These assistants are activated by voice commands and get things done. For example, you can ask Alexa to play some songs of your choice. These devices can be hijacked and used against the owner of the device. Today, we will learn about Surfing Attacks using Ultrasound waves and the potential problems they pose.
What is a Surfing Attack?
Smart devices are equipped with voice assistants such as Google Home Assistant, Alexa from Amazon, Siri from Apple, and some not-so-popular voice assistants. I could not find any definition anywhere on the Internet, so I define it as follows:
“Surfing attacks refer to the hijacking of voice assistants using inaudible sounds such as Ultrasound waves, with the intention of accessing device owners’ data without the knowledge of the owner.”
You might already know that human ears can perceive sounds only within a range of frequencies (20 Hz to 20 kHz). If anyone sends audio signals that fall outside that range, people cannot hear them. That is the case with Ultrasound: its frequency is beyond the perception of human ears.
The bad guys started using Ultrasound waves to hijack devices such as smartphones and smart homes that use voice commands. These voice commands are at a frequency beyond human perception, allowing hackers to obtain the information they want (which is stored in voice-activated smart devices) with the help of voice assistants. They use inaudible sounds to this end.
For surfing attacks, hackers need not be in sight of the smart device to control it through its voice assistant. For example, if an iPhone is set on a table, people assume that voice travels only through the air, so if a voice command comes through the air, they will notice the hackers. But it is not so, because sound waves need just a medium to propagate.
Solid objects, too, can carry sound as long as they can vibrate. A wooden table can pass sound waves through the wood. Ultrasound waves sent this way are used as commands to get things done illegally on the target users’ smartphones or other smart devices that use voice assistants such as Google Home or Alexa.
How do Surfing Attacks work?
Inaudible ultrasound waves can travel through the surface on which the devices are kept. For example, if the phone is on a wooden table, all the attackers need to do is attach to the table a machine that can send ultrasound waves for the surfing attack.
A device is attached to the victim’s table or whatever surface he or she is using to rest the voice assistant on. This device first turns down the volume of the smart assistant so that the victim doesn’t suspect anything. The command comes via the device attached to the table, and the response to the command is also collected by the same machine or by something else that may be at a remote place.
For example, a command may be given, “Alexa, please read the SMS I just got.” This command is inaudible to people in the room. Alexa reads out the SMS containing an OTP (one-time password) in an extremely low voice. The hijacking device then captures this response and sends it to wherever the hackers want.
Such attacks are called Surfing Attacks. I have tried to remove all technical words from the article so that even a non-techie can understand this problem. For advanced reading, here is a link to a research paper that explains it better.